The ma-defend slot-policy command creates a board-based policy for management and service plane protection and enters the board-based policy view.
The undo ma-defend slot-policy command deletes a created board-based policy.
By default, no board-based policy is created.
Usage Scenario
To help the device defend against attacks or unauthorized logins initiated by sending protocol packets, management and service plane protection is used to prevent packets of a specified protocol or all protocols from being sent to the CPU. Using management and service plane protection improves device security and reliability and ensures normal network operation.
A board-based policy takes effect on a specified interface board. It simplifies configuration compared with configuring each interface of the board separately. To create a board-based policy, run the ma-defend slot-policy command.
Configuration Impact
After a board-based policy has been configured and a rule has also been configured to prevent packets of a specified protocol or all protocols from reaching the CPU, specified packets will be directly discarded after arriving at any interface on the specified board.
Follow-up Procedure
Run the protocol command to configure a rule for a board-based policy to accept or discard packets of a specified protocol or all protocols before the packets are sent to the CPU.
Run the ma-defend-slot command to apply the configured policy to a specified board. You can also configure a global policy and apply it to the device or configure an interface-based policy and apply it to a specified interface.
Precautions
In VS mode, this command is supported only by the admin VS.
<HUAWEI> system-view
[~HUAWEI] ma-defend slot-policy 1
[*HUAWEI-app-sec-slot-1] protocol telnet deny
[*HUAWEI-app-sec-slot-1] quit
[*HUAWEI] slot 1
[*HUAWEI-slot-1] ma-defend-slot 1
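A board-based policy only protects a board once it has a protocol rule and has been applied with ma-defend-slot, so a saved configuration can be checked offline for policies that miss either step. The script below is an added example, not Huawei code; the function name audit_slot_policies and the configuration layout it parses (one-space indent inside a view, "#" between views) are assumptions modelled on the commands shown on this page.

```python
import re

# Constructed sample; layout (one-space indent inside a view, '#' between
# views) is an assumption modelled on the commands shown on this page.
SAMPLE_CONFIG = """\
ma-defend slot-policy 1
 protocol telnet deny
#
ma-defend slot-policy 2
#
ma-defend slot-policy 3
 protocol telnet deny
#
slot 1
 ma-defend-slot 1
#
slot 2
 ma-defend-slot 9
"""

def audit_slot_policies(config_text):
    """Return findings for board-based ma-defend policies in a config dump."""
    policies, applied, view = {}, {}, None  # id -> rules, slot -> id, current view
    for raw in config_text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level line opens a new view
            m = re.fullmatch(r"(ma-defend slot-policy|slot) (\S+)", line)
            view = m.groups() if m else None
            if view and view[0] != "slot":
                policies.setdefault(view[1], [])
        elif view and view[0] != "slot" and line.startswith("protocol "):
            policies[view[1]].append(line)
        elif view and view[0] == "slot":
            m = re.fullmatch(r"ma-defend-slot (\S+)", line)
            if m:
                applied[view[1]] = m.group(1)
    findings = []
    for pid, rules in sorted(policies.items()):
        if not rules:
            findings.append(f"policy {pid}: no protocol rule configured")
        if pid not in applied.values():
            findings.append(f"policy {pid}: created but not applied to any board")
    for slot, pid in sorted(applied.items()):
        if pid not in policies:
            findings.append(f"slot {slot}: applies undefined policy {pid}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_slot_policies(SAMPLE_CONFIG)))
```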